On 2/28/13 6:58 AM, Amos Jeffries wrote:
>
> Can we take a step back folks and outline _exactly_ what it is that
> needs protecting here?
>
> - the datum responded by DNS?
> - the HTTP channel?
>
The case we're talking about is where http://www.example.com:8080 and
https://www.example.com:4343 have the exact same content and services.
You don't want a man in the middle to be able to force clients to 8080
when a more secure encrypted service is advertised. One simple way
around this is not to have 8080 available for this purpose. Otherwise,
you want to ensure the information you are getting from the DNS is
accurate and complete. DNSSEC provides that capability.
Eliot
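To make the downgrade scenario concrete, here is an added example that is not part of the thread: a toy resolver exchange in which the zone advertises both endpoints, an on-path attacker strips the https entry, and a client either validates the answer before trusting it or does not. It assumes a generic "endpoint list" record for www.example.com and uses an HMAC as a stand-in for a DNSSEC RRSIG (real DNSSEC uses public-key signatures chained from the parent zone).

```python
import hmac
import hashlib
import json

# Constructed sample: stand-in for the zone's signing key (real DNSSEC uses a
# DNSKEY/RRSIG pair, not a shared secret; this only models "the zone signed it").
ZONE_KEY = b"constructed-zone-signing-key"


def sign_rrset(records):
    """Toy RRSIG: HMAC-SHA256 over the canonicalised record set."""
    canon = json.dumps(sorted(records), separators=(",", ":")).encode()
    return hmac.new(ZONE_KEY, canon, hashlib.sha256).hexdigest()


def authoritative_answer():
    """What the authoritative server publishes for www.example.com (constructed)."""
    records = ["https://www.example.com:4343", "http://www.example.com:8080"]
    return {"records": records, "rrsig": sign_rrset(records)}


def mitm_strip_https(answer):
    """On-path tampering: the encrypted endpoint is removed from the answer.

    The attacker cannot produce a fresh signature, so the RRSIG no longer
    matches the record set it accompanies.
    """
    kept = [r for r in answer["records"] if not r.startswith("https://")]
    return {"records": kept, "rrsig": answer["rrsig"]}


def choose_endpoint(answer, validate_dnssec):
    """Client policy: prefer https, and with validation refuse a bogus answer.

    Returns the endpoint to connect to, or None when the answer fails
    validation (a validating resolver would mark it bogus / SERVFAIL).
    """
    if validate_dnssec:
        expected = sign_rrset(answer["records"])
        if not hmac.compare_digest(expected, answer.get("rrsig", "")):
            return None  # tampered or unsigned answer: do not connect anywhere
    for r in answer["records"]:
        if r.startswith("https://"):
            return r
    return answer["records"][0] if answer["records"] else None
```

Without validation the stripped answer silently sends the client to port 8080; with validation the mismatch is detected and no plaintext connection is made.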